[PATCH] dm verity: add support for signature verification with platform keyring
Luca Boccassi
luca.boccassi at gmail.com
Thu Jul 4 09:12:25 UTC 2024
On Mon, 17 Jun 2024 at 23:00, <luca.boccassi at gmail.com> wrote:
>
> From: Luca Boccassi <bluca at debian.org>
>
> Add a new configuration CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
> that enables verifying dm-verity signatures using the platform keyring,
> which is populated using the UEFI DB certificates. This is useful for
> self-enrolled systems that do not use MOK, as the secondary keyring which
> is already used for verification, if the relevant kconfig is enabled, is
> linked to the machine keyring, which gets its certificates loaded from MOK.
> On datacenter/virtual/cloud deployments it is more common to deploy one's
> own certificate chain directly in DB on first boot in unattended mode,
> rather than relying on MOK, as the latter typically requires interactive
> authentication to enroll, and is more suited for personal machines.
>
> Default to the same value as DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
> if not otherwise specified, as it is likely that if one wants to use
> MOK certificates to verify dm-verity volumes, DB certificates are
> going to be used too. Keys in DB are allowed to load a full kernel
> already anyway, so they are already highly privileged.
>
> Signed-off-by: Luca Boccassi <bluca at debian.org>
> ---
> drivers/md/Kconfig | 10 ++++++++++
> drivers/md/dm-verity-verify-sig.c | 7 +++++++
> 2 files changed, 17 insertions(+)
>
> diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig
> index 35b1080752cd..1e9db8e4acdf 100644
> --- a/drivers/md/Kconfig
> +++ b/drivers/md/Kconfig
> @@ -540,6 +540,16 @@ config DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
>
> If unsure, say N.
>
> +config DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
> + bool "Verity data device root hash signature verification with platform keyring"
> + default DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
> + depends on DM_VERITY_VERIFY_ROOTHASH_SIG
> + depends on INTEGRITY_PLATFORM_KEYRING
> + help
> + Rely also on the platform keyring to verify dm-verity signatures.
> +
> + If unsure, say N.
> +
> config DM_VERITY_FEC
> bool "Verity forward error correction support"
> depends on DM_VERITY
> diff --git a/drivers/md/dm-verity-verify-sig.c b/drivers/md/dm-verity-verify-sig.c
> index 4836508ea50c..d351d7d39c60 100644
> --- a/drivers/md/dm-verity-verify-sig.c
> +++ b/drivers/md/dm-verity-verify-sig.c
> @@ -126,6 +126,13 @@ int verity_verify_root_hash(const void *root_hash, size_t root_hash_len,
> NULL,
> #endif
> VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
> +#ifdef CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING
> + if (ret == -ENOKEY)
> + ret = verify_pkcs7_signature(root_hash, root_hash_len, sig_data,
> + sig_len,
> + VERIFY_USE_PLATFORM_KEYRING,
> + VERIFYING_UNSPECIFIED_SIGNATURE, NULL, NULL);
> +#endif
>
> return ret;
> }
Gentle ping. Anything I can do to help move this patch forward? It
fixes a gap in our dm-verity story that I'd really like to see sorted
for the next release. We will use this in systemd, among other things.
Thanks!
More information about the Linux-security-module-archive
mailing list